Information Security: Vulnerabilities in DOE's Systems for Unclassified Civilian Research

AIMD-00-140 Published: Jun 09, 2000. Publicly Released: Jun 30, 2000.
Highlights

Pursuant to a congressional request, GAO reviewed the security of the Department of Energy's (DOE) unclassified information systems that support its civilian research programs, focusing on: (1) whether DOE's unclassified systems for civilian research are vulnerable to unauthorized access; (2) whether DOE is effectively managing information systems security; and (3) what DOE is doing to address the risk of unauthorized access to unclassified systems for civilian research.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Energy
Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should develop a clear and comprehensive line management oversight process to continuously monitor and enforce the laboratories' compliance with departmentwide policy and the effectiveness of established controls. The process should include audits and reviews and establish clear roles and responsibilities for each organization in the line management chain, and procedures for tracking identified vulnerabilities and for ensuring that follow-up actions are implemented.
Status: Closed – Implemented
Comments: DOE stated that a clear process and structure to monitor and enforce laboratory compliance with DOE-wide policy has been implemented by the Office of Science. For example, DOE Notice 205.1 requires each laboratory to develop and implement cyber security protection plans that require management approval. In addition, the progress of cyber security improvements at DOE sites is monitored by the laboratories' operations office through monthly reports. Cyber security has also been added as a topic for the annual on-site reviews of the planning process. There are also continuous efforts underway by the DOE Inspector General and independent oversight staff to inspect the agency's unclassified networks.

Agency Affected: Department of Energy
Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should establish mechanisms to enforce reporting of all serious security incidents to DOE's Computer Incident Advisory Capability. Further, the Chief Information Officer (CIO) should establish and issue guidelines to clarify what types of incidents must be reported. At a minimum, these types must include all incidents that could adversely affect scientific research through compromises of mission data or computational resources.
Status: Closed – Implemented
Comments: DOE reported that it published DOE Notice 205.1, Unclassified Cyber Security Programs, which assigns policy, enforcement, and management responsibilities to DOE organizations, and DOE Notice 205.4, Incident Warning and Reporting Manual, to address this recommendation.

Agency Affected: Department of Energy
Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should establish guidelines for determining the sensitivity of electronic information and the extent to which such information should be publicly accessible through the Internet, and establish management oversight processes to ensure compliance with this guidance.
Status: Closed – Implemented
Comments: DOE reported that it published DOE Order 241.1 and DOE Guide 241.1, Scientific and Technical Information Management, to address the GAO recommendation relating to determining the sensitivity of computer information and Internet access to that information.

Agency Affected: Department of Energy
Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should ensure that headquarters-based reviews identify and correct shortcomings in draft annual security plans prepared by the science laboratories. The plans should identify which systems are critical for the laboratories to achieve their scientific missions and how these systems are interconnected, both within the lab and externally. The plans should also outline the procedures used by the laboratories to assess threats and vulnerabilities and to regularly test whether the countermeasures employed to protect these systems are effective in mitigating identified risks.
Status: Closed – Implemented
Comments: DOE reported that it published DOE Notice 205.1, Unclassified Cyber Security Programs, which assigns policy, enforcement, and management responsibilities to DOE organizations, to address this recommendation.

Agency Affected: Department of Energy
Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should develop a mechanism for effectively integrating the skills and expertise of staff at the DOE laboratories in the development of official policy and guidance. The CIO should consider chartering the existing System of Laboratories Computer Coordinating Committee Technical Working Group in this capacity.
Status: Closed – Implemented
Comments: DOE reported that it chartered a cyber security policy working group, including senior line management and security experts, to address the GAO recommendation relating to integrating the skills and expertise of staff at DOE labs in developing official policy and guidance. DOE reported that, as of September 2002, this working group had met quarterly for the past year.

Agency Affected: Department of Energy
Recommendation: The Secretary of Energy should take immediate steps to strengthen the management of the department's unclassified computer security program. Specifically, the Secretary of Energy should: (1) establish guidelines for a consistent risk-based approach to IT security management; (2) require all of DOE's scientific laboratories to identify all their critical systems and formally assess the potential threats and vulnerabilities of each system before operation, upon significant change, or at least every 3 years; and (3) require that managers document that this process has been followed, what level of protection they have determined is appropriate, what controls they have selected to provide this protection, and that they accept responsibility for any residual risks.
Status: Closed – Implemented
Comments: DOE reported that it completed developing cyber security program plans for all its major programs and organizations to address GAO's recommendation pertaining to establishing a consistent risk-based approach.

Agency Affected: Office of the Chief Information Officer (DOE CIO)
Recommendation: The DOE CIO should: (1) review the specific vulnerabilities and suggested actions provided to laboratory Computer Protection Program Managers at the conclusion of GAO's testing; (2) determine and implement appropriate security countermeasures; and (3) track the implementation and disposition of these actions.
Status: Closed – Implemented
Comments: The DOE science laboratories closed all identified security weaknesses.

Topics

Computer crimes, Computer security policies, Computer security, Confidential communications, Cyber security, Energy research, Information resources management, Information security, Information technology, Internet, Laboratories, Security policies